Instagram bug revealed! Chennai-based security researcher Laxman Muthiyah has said that he discovered a new account takeover vulnerability on Instagram.
The new vulnerability in the photo and video-sharing app, similar to the one Muthiyah had spotted in July, earned him $10,000 (roughly Rs 7.2 lakh). The bug allowed anyone to take over Instagram accounts without the owner's consent.
After reviewing the issue, Facebook announced that it will reward Muthiyah with a bounty of $10,000 as part of the social network’s bug bounty programme. Facebook has now fixed the vulnerability that Muthiyah reported. “Facebook and Instagram security team fixed the issue and rewarded me $10000 as a part of their bounty programme,” Muthiyah said in a blog post.
Explaining the new vulnerability, Muthiyah said the weakness lay in the Device ID, a random string generated by the Instagram app that the Instagram server uses to validate password reset codes. The server did not tie a Device ID to a single account: the same Device ID could be used to request passcodes for many different users, and the codes issued for all of them were validated against that one Device ID.
He demonstrated with an example that the vulnerability could be exploited to gain unauthorised access to Instagram accounts. “When we request passcodes of multiple users, we are increasing the probability of hacking accounts,” he said.
A 6-digit passcode has one million possible values, and “when we request passcodes of multiple users, we are increasing the probability of hacking accounts”. Because the server validates reset codes against the Device ID, and one Device ID can request codes for many users, every additional user whose code is requested under the attacker's Device ID is another valid code that a guess could match, so the attacker wants codes outstanding for as many users as possible. “Therefore, an attacker should request codes of 1 million users to complete the attack with 100 per cent success rate,” he explained in his blog post. The exploit could thus be aimed at up to one million users' accounts at once, but the whole attack, requesting the codes and then guessing, has to be completed within 10 minutes, because the codes expire after that time limit.
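To make the probability argument concrete, here is an added illustration (not code from Muthiyah's blog post, and not Instagram's code) that models the attack as described: N users' reset codes have been requested under a single Device ID, and the attacker submits guesses against that Device ID. The model assumptions, which the article does not state, are that every pending code is an independent uniform draw from the one million 6-digit values and that a guess succeeds if it equals any pending code. The `attempts_per_second` rate used to check the 10-minute window is a caller-supplied assumption, not a figure from the page.

```python
"""Hypothetical model of the "one Device ID, many users" reset-code attack.

Assumptions (not stated in the article): every pending reset code is an
independent uniform draw from the 10**6 six-digit values, all N codes were
requested under a single Device ID, and the attacker submits guesses one at
a time against that Device ID. A guess succeeds if it equals ANY pending code.
"""
import math

CODE_SPACE = 10**6          # six decimal digits: 000000 to 999999
CODE_LIFETIME_SECONDS = 600  # the article says codes expire after 10 minutes


def hit_probability_per_guess(pending_codes: int) -> float:
    """P(a single random guess matches at least one of N pending codes).

    With no codes outstanding a guess can never succeed; with N codes the
    guess misses only if it differs from every one of them.
    """
    if pending_codes < 0:
        raise ValueError("pending_codes must be non-negative")
    return 1.0 - (1.0 - 1.0 / CODE_SPACE) ** pending_codes


def expected_guesses_until_hit(pending_codes: int) -> float:
    """Mean number of guesses before the first success (geometric trials)."""
    p = hit_probability_per_guess(pending_codes)
    return float("inf") if p == 0.0 else 1.0 / p


def success_within(pending_codes: int, guesses: int) -> float:
    """P(at least one hit within a budget of `guesses` attempts)."""
    p = hit_probability_per_guess(pending_codes)
    return 1.0 - (1.0 - p) ** guesses


def guesses_needed(pending_codes: int, confidence: float = 0.99) -> int:
    """Smallest guess budget that reaches P(success) >= confidence."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    p = hit_probability_per_guess(pending_codes)
    if p == 0.0:
        raise ValueError("no pending codes: the attack cannot succeed")
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def fits_in_window(pending_codes: int, attempts_per_second: float,
                   confidence: float = 0.99) -> bool:
    """Can the guessing phase finish before the codes expire?

    `attempts_per_second` is an assumed attacker guess rate; the article
    gives no figure for how fast codes can be submitted.
    """
    if attempts_per_second <= 0:
        raise ValueError("attempts_per_second must be positive")
    seconds_needed = guesses_needed(pending_codes, confidence) / attempts_per_second
    return seconds_needed <= CODE_LIFETIME_SECONDS


if __name__ == "__main__":
    for n in (1, 1_000, 1_000_000):
        print(f"{n:>9} pending codes: p(hit)={hit_probability_per_guess(n):.6f}, "
              f"guesses for 99% success={guesses_needed(n)}, "
              f"fits 10-minute window at 1 guess/s: {fits_in_window(n, 1.0)}")
```

The numbers explain the “100 per cent” claim: a single guess against one user's code succeeds with probability one in a million, but against one million outstanding codes it succeeds about 63 per cent of the time, and a handful of guesses pushes the success probability above 99.99 per cent, which is why the attack hinges on requesting many codes inside the 10-minute lifetime rather than on guessing quickly.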
“You identified insufficient protections on a recovery endpoint, allowing an attacker to generate numerous valid nonces to then attempt recovery,” Facebook said in a letter to Muthiyah.
Last month, Muthiyah had found that it was possible to take over someone's Instagram account by triggering a password reset, requesting a recovery code, and then rapidly trying possible recovery codes against the account. Facebook paid him $30,000 (roughly Rs 21.6 lakh) for that report.
“I reported the vulnerability to the Facebook security team and they were unable to reproduce it initially due to lack of information in my report. After a few emails and a proof-of-concept video, I could convince them the attack is feasible,” Muthiyah wrote in his blog post.